Russian Vulnerability Scanner Database

Back to List

CVE-2024-56599

Scores

EPSS

0.000none0.0%
0%20%40%60%80%100%

Percentile: 0.0%

CVSS

5.5medium3.x
0246810

CVSS Score: 5.5/10

All CVSS Scores

CVSS 3.x
5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: avoid NULL pointer error during sdio remove

When running ‘rmmod ath10k’, ath10k_sdio_remove() will free sdio
workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON
is set to yes, kernel panic will happen:
Call trace:
destroy_workqueue+0x1c/0x258
ath10k_sdio_remove+0x84/0x94
sdio_bus_remove+0x50/0x16c
device_release_driver_internal+0x188/0x25c
device_driver_detach+0x20/0x2c

This is because during ‘rmmod ath10k’, ath10k_sdio_remove() will call
ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()
will finally be called in ath10k_core_destroy(). This function will free
struct cfg80211_registered_device *rdev and all its members, including
wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio
workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.

After device release, destroy_workqueue() will use NULL pointer then the
kernel panic happen.

Call trace:
ath10k_sdio_remove
->ath10k_core_unregister
……
->ath10k_core_stop
->ath10k_hif_stop
->ath10k_sdio_irq_disable
->ath10k_hif_power_down
->del_timer_sync(&ar_sdio->sleep_timer)
->ath10k_core_destroy
->ath10k_mac_destroy
->ieee80211_free_hw
->wiphy_free
……
->wiphy_dev_release
->destroy_workqueue

Need to call destroy_workqueue() before ath10k_core_destroy(), free
the work queue buffer first and then free pointer of work queue by
ath10k_core_destroy(). This order matches the error path order in
ath10k_sdio_probe().

No work will be queued on sdio workqueue between it is destroyed and
ath10k_core_destroy() is called. Based on the call_stack above, the
reason is:
Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and
ath10k_sdio_irq_disable() will queue work on sdio workqueue.
Sleep timer will be deleted before ath10k_core_destroy() in
ath10k_hif_power_down().
ath10k_sdio_irq_disable() only be called in ath10k_hif_stop().
ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif
bus, so ath10k_sdio_hif_tx_sg() won’t be called anymore.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.
Learn more about Scaner-VS 7

Sources

astradebiannvdubuntu

CWEs

CWE-476

Related Vulnerabilities

BDU:2025-12223

Vulnerable Software (165)

Type: Configuration

Product: linux

Operating System: debian

Trait: 
{  "fixed": "6.12.5-1"}

Source: debian

Type: Configuration

Product: linux

Operating System: ubuntu bionic 18.04

Trait: 
{  "unaffected": true}

Source: ubuntu

Type: Configuration

Product: linux

Operating System: ubuntu focal 20.04

Trait: 
{  "fixed": "5.4.0-216.236"}

Source: ubuntu

Type: Configuration

Product: linux

Operating System: ubuntu jammy 22.04

Trait: 
{  "fixed": "5.15.0-140.150"}

Source: ubuntu

Type: Configuration

Product: linux

Operating System: ubuntu trusty 14.04

Trait: 
{  "unaffected": true}

Source: ubuntu

Type: Configuration

Product: linux

Operating System: ubuntu xenial 16.04

Trait: 
{  "unaffected": true}

Source: ubuntu

Type: Configuration

Product: linux-5.10

Operating System: astra 4.7.0

Trait: 
{  "unaffected": true}

Source: astra

Type: Configuration

Product: linux-5.15

Operating System: astra 4.7.0

Trait: 
{  "unaffected": true}

Source: astra

Type: Configuration

Product: linux-allwinner-5.19

Operating System: ubuntu jammy 22.04

Trait: 
{  "unfixed": true}

Source: ubuntu

Type: Configuration

Product: linux-aws

Operating System: ubuntu bionic 18.04

Trait: 
{  "unfixed": true}

Source: ubuntu